[EMAIL PROTECTED] wrote:
stas 2004/08/08 10:56:53
Added: t/hooks authen_digest.t
       t/hooks/TestHooks authen_digest.pm
Log: digest auth test
cool! I love that people are becoming as interested in Digest auth as I am :)
I wasn't really getting interested, just needed to write a test for
$r->note_digest_auth_failure. But as I never wrote a digest one, it was a learning experience (and it was handy to have the modperl cookbook for that :). Though I didn't go all the way through, just very basic...
the only comment that I would make is that these tests aren't really testing the right thing.
the only apache API we have access to is $r->note_digest_auth_failure, which has the job of setting a proper WWW-Authenticate header. the current tests only really test this by accident, relying on LWP's Digest implementation to handle the header appropriately.
right, that's exactly the purpose of this test: test $r->note_digest_auth_failure, no more and no less. So no accidents here.
so, really what I would do is manually check for the 401, which would indicate that Apache::HTTP_UNAUTHORIZED was returned, and check for WWW-Authenticate (and its properties), which would indicate that $r->note_digest_auth_failure was called (and given the proper fields, like the Realm).
all the rest of the server side code is really unnecessary as well - you could easily use $r->args to toggle whether $r->note_digest_auth_failure is called. not that there is anything wrong with coding the server-side auth foo yourself, but what happens now is that someone who uses the tests as an example doesn't see that a) there are CPAN modules to do this and b) that the implementation is imperfect, since it only handles the old digest auth scheme and not the newer one (where stuff like qop is important).
Yeah, I saw that qop thing in the LWP implementation, but I didn't try to figure out what it is for. Rushing to get the API covered...
Just add a comment, 'do not use that code for real-world apps' and see: Geoff's CPAN directory and articles for how to do it right. Even better I'd love to see your articles which hardly anybody knows about merged into the core docs, where they will be of utmost value.
I plan to split src/docs/2.0/user/handlers/http.pod into as many chapters as there are HTTP phases, so that each can include a complete extensive tutorial (similar to your cookbook). And since I've mentioned the book, maybe better to follow your exact layout and bundle AAA together, but maybe not (if it makes the docs too long).
so, there's nothing wrong with the tests per se, but it seems to me to be lots of unnecessary work that is (perhaps) not even really testing the right thing.
Feel free to improve it, as long as $r->note_digest_auth_failure is tested.
--
__________________________________________________________________
Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
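
The check discussed in the thread (assert the 401 and inspect the WWW-Authenticate challenge directly, instead of relying on LWP's Digest client), as an added example that is not part of the original messages or of the mod_perl test suite. The responses, realm and nonce values are constructed, and `parse_challenge` and `digest_flavor` are hypothetical helper names.

```perl
use strict;
use warnings;
use Test::More tests => 6;

# Split a WWW-Authenticate value into its scheme and auth-params.
# Values may be quoted-strings (with backslash escapes) or bare tokens.
sub parse_challenge {
    my ($header) = @_;
    return unless defined $header && $header =~ /\A\s*([A-Za-z]+)\s+(.*)\z/s;
    my ($scheme, $rest) = ($1, $2);
    my %param;
    while ($rest =~ /\G\s*,?\s*([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/gc) {
        my ($name, $value) = (lc $1, defined $2 ? $2 : $3);
        $value =~ s/\\(.)/$1/g;    # undo quoted-pair escaping
        $param{$name} = $value;
    }
    return ($scheme, \%param);
}

# No qop in the challenge means the older RFC 2069 style; with qop the
# client must use the RFC 2617 computation (cnonce and nc included).
sub digest_flavor {
    my ($param) = @_;
    return exists $param->{qop} ? 'rfc2617' : 'rfc2069';
}

# Constructed sample responses (status code plus header value), standing in
# for what a test client would read back from the server. Realm and nonce
# values are made up.
my %old = (code => 401, www_auth => 'Digest realm="Test Realm", nonce="1091987813"');
my %new = (code => 401,
    www_auth => 'Digest realm="Test \"Realm\"", nonce="abc123", qop="auth", algorithm=MD5');

my ($scheme, $p) = parse_challenge($old{www_auth});
is($old{code}, 401, 'status is 401 (HTTP_UNAUTHORIZED)');
is(lc($scheme), 'digest', 'challenge scheme is Digest');
is($p->{realm}, 'Test Realm', 'realm matches the configured AuthName');
ok(length $p->{nonce}, 'nonce is present');
is(digest_flavor($p), 'rfc2069', 'no qop: old-style digest');

(undef, $p) = parse_challenge($new{www_auth});
is_deeply([$p->{realm}, $p->{algorithm}, digest_flavor($p)],
          ['Test "Realm"', 'MD5', 'rfc2617'], 'escaped realm, token value, qop seen');
```

In a live test the status and header value would come from the response object of an unauthenticated request rather than from the constructed hashes.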
